Autenticació amb Apache i OpenID

Tot i que pot servir per a qualsevol proveïdor que disposi d’una API amb OpenID, aquest document es centre amb Google.

Per tal de fer aquesta autenticació, necessitem instal·lar el mòdul OpenID a l’Apache…

apt-get install libapache2-mod-auth-openidc

Un cop instal·lat, l’hem d’activar…

a2enmod auth_openidc

I reiniciar l’Apache…

/etc/init.d/apache2 restart 

Ara hem de configurar cada domini, o subdomini, per tal que l’Apache sàpiga connectar-se a Google. Podem fer-ho directament al fitxer d’apache /var/www/vhosts/system/DOMINI.TLD/conf/httpd.conf però en aquest exemple, utiltizem un servidor gestionat amb Plesk, aquests canvis es perdrien al reconfigurar el domini, per això és millor fer-ho a través del panell de plesk: Dominis > DOMINI.TLD > Apache & nginx Settings > Additional directives for HTTPS …

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXX.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
# https://gluu.org/docs/ce/integration/sswebapps/openidc-rp/ diu: don't set this to a path used by your server. The apache-filter uses the redirect_uri to process the response from the OpenID Provider
OIDCRedirectURI https://DOMINI.TLD/protegitambOpenID/callBack/
OIDCCryptoPassphrase XXXXXX
OIDCScope "openid email profile"
OIDCSessionInactivityTimeout 864000
OIDCSessionMaxDuration 0

OIDCClientID i OIDCClientSecret ho hem d’agafar de Google: https://console.developers.google.com/ > Googles APIs > Credenciales > IDs de cliente de OAuth 2.0

OIDCRedirectURI és una URL de comunicació entra Apache i Google que ha d’existir, per tant…

OIDCCryptoPassphrase és un contrasenya que decidim nosaltres per encriptar les comunicacions entre el servidor i Google

OIDCSessionInactivityTimeout és el temps màxim d’inactivitat abans no es tanqui la sessió, per defecte són 5 minuts (300 segons), en aquest cas ens interessa deixar-ho a 24 hores (3600 x 24 = 86400) que és el màxim permès.

OIDCSessionMaxDuration és el temps màxim que pot durar la sessió, per defecte són 8 hores (28800 segons). Si ho deixem a 0, ho defineix el token del proveïdor (Google en aquest cas)

mkdir /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/ && /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/callBack/

altres opciones que hem descartat…

##              OIDCProviderBackChannelLogoutSupported On
##              OIDCSessionType server-cache[:persistent]|client-cookie[:persistent]
#               OIDCDefaultLoggedOutURL https://DOMINI.TLD/protegitambOpenID/index.php
#               OIDCDefaultURL https://DOMINI.TLD/protegitambOpenID/index.php
#               OIDCProviderEndSessionEndpoint https://www.google.com/accounts/Logout

Tornant a Google, hem de definir quines són les URL que ens interessen (https://console.developers.google.com/ > Googles APIs > Credenciales > IDs de cliente de OAuth 2.0) …

Orígens de JavaScript autoritzats…
https://DOMINI.TLD

URIs de redirecció autoritzats…
https://DOMINI.TLD/protegitambOpenID/callBack/

Ja quasi hem acabat, ara només ens falta definir a partir de quin directori requerim aquesta autenticació i quins usuaris permetem, aquest exemple, només usuaris de DOMINI.TLD …

touch /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess 
echo>/var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess "AuthType openid-connect"
echo>>/var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess "Require  claim hd:DOMINI.TLD"

Altres opcions del fitxer .htaccess…

AuthType openid-connect
Require claim hd:DOMINI.TLD
# Require claim email~^[a-zA-Z0-9_.+-]+@(?:(?:[a-zA-Z0-9-]+\.)?[a-zA-Z]+\.)?(DOMINI)\.TLD$
# Require valid-user
# Require claim email:XXXXXXXXXX@gmail.com
# Require user XXXXXXXXXXX@accounts.google.com

Alguns recursos utilitzats…

https://stackoverflow.com/questions/24675976/how-to-authenticate-domains-on-apache-with-google-apps
http://findingscience.com/mod_auth_openid/
https://stackoverflow.com/questions/37557703/user-list-for-mod-auth-openidc
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
https://github.com/zmartzone/mod_auth_openidc/wiki
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html
https://stackoverflow.com/questions/1385082/openid-how-do-you-logout
https://stackoverflow.com/questions/1968814/how-to-add-logout-feature-to-an-openid-enabled-site
https://stackoverflow.com/questions/4202161/google-account-logout-and-redirect
https://stackoverflow.com/questions/38835222/google-api-oauth-2-0-titanium-required-parameter-is-missing-response-type
https://stackoverflow.com/questions/47235093/how-to-redirect-to-last-link-after-login-from-google-in-php

URL de proves pel retorn que ja no utilitzem (per no esborrar-les definitivament)…

https://accounts.google.com/o/oauth2/v2/auth?client_id=861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com&response_type=code&scope=email&nonce=1232314&redirect_uri=https://DOMINI.TLD/protegitambOpenID/index.php

https://accounts.google.com/Logout?client_id=861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com&response_type=code&scope=email&nonce=1232314&redirect_uri=https://DOMINI.TLD/protegitambOpenID/index.php

https://www.google.com/accounts/Logout?continue=https://accounts.google.com/o/oauth2/v2/auth?client_id=861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com&response_type=code&scope=email&nonce=1232314&redirect_uri=https://DOMINI.TLD/protegitambOpenID/index.php

https://www.google.com/accounts/Logout?continue=https://accounts.google.com/o/oauth2/v2/auth?client_id=861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com&response_type=code&scope=email&nonce=1232314&redirect_uri=https://DOMINI.TLD/protegitambOpenID/index.php

https://www.google.com/accounts/Logout?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fv2%2Fauth%3Fclient_id%3D861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Demail%26nonce%3D1232314%26redirect_uri%3Dhttps%3A%2F%2FDOMINI.TLD%2FprotegitambOpenID%2Findex.php

https://www.google.com/accounts/Logout?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fv2%2Fauth%3Fclient_id%3D861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Demail%26nonce%3D1232314%26redirect_uri%3Dhttps%3A%2F%2FDOMINI.TLD%2FprotegitambOpenID%2F%3Flogout%3Dget

https://www.google.com/accounts/Logout?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fv2%2Fauth%3Fclient_id%3D861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Demail%26nonce%3D1232314%26redirect_uri%3Dhttps%3A%2F%2FDOMINI.TLD%2FprotegitambOpenID%2F%3Flogout.php

https://www.google.com/accounts/Logout?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fv2%2Fauth%3Fclient_id%3D861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Demail%26nonce%3D1232314%26redirect_uri%3Dhttps%3A%2F%2FDOMINI.TLD%2FprotegitambOpenID%2F%3Flogout%3Dlogout.php

https://www.google.com/accounts/Logout?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fv2%2Fauth%3Fclient_id%3D861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Demail%26nonce%3D1232314%26redirect_uri%3Dhttps%3A%2F%2FDOMINI.TLD%2FprotegitambOpenID%2Flogout.php

https://DOMINI.TLD/protegitambOpenID/index.php

https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=861350014651-cd0ntto3g5dflg9vh3vgvksjvdo8sqge.apps.googleusercontent.com&as=L0AYJcQRWis-_nw1ZB27NQ&destination=https%3A%2F%2FDOMINI.TLD&approval_state=!ChR2cTJUZ1AyV0dBd255SlFKdk15LRIfazVZRVUteXUxOWNjMEVBN1JaNXdOM1BOLVdwUWh4WQ%E2%88%99APNbktkAAAAAXEg8r9e1yaoQiGYtGddcXljCQqVyIAJn&oauthgdpr=1&xsrfsig=ChkAeAh8T9_6DKlq45PStu_-U9jd41O_1NFGEg5hcHByb3ZhbF9zdGF0ZRILZGVzdGluYXRpb24SBXNvYWN1Eg9vYXV0aHJpc2t5c2NvcGU&flowName=GeneralOAuthFlow